Hi,

I've modified the conntrack-tcp-nopickup patch and added a sysctl, now
it's possible to change the behaviour during operation.
It adds a new moduleparameter too so you can specify the initial mode.
It's described in the help file.

sysctl: ip_conntrack_pickup , defaults to 1
moduleparameter: pickup , set it to the initial mode.


One possible use is to allow connection pickup after a reboot of the
router and then disable it after a while, so that already existing active
connections have a chance to continue to work.

Attached is a patch against current CVS (020518)

-- 
/Martin

Never argue with an idiot. They drag you down to their level, then beat
you with experience.
diff -urN netfilter/userspace/patch-o-matic/oldnat.orig/conntrack-tcp-nopickup.patch netfilter/userspace/patch-o-matic/oldnat/conntrack-tcp-nopickup.patch
--- netfilter/userspace/patch-o-matic/oldnat.orig/conntrack-tcp-nopickup.patch	Tue Feb 19 23:13:13 2002
+++ netfilter/userspace/patch-o-matic/oldnat/conntrack-tcp-nopickup.patch	Sun May 19 03:00:42 2002
@@ -1,40 +1,131 @@
-diff -Nru linuxppc-benh-190202-plain/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linuxppc-benh-190202-nopickup/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
---- linuxppc-benh-190202-plain/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	Thu Nov 29 14:40:32 2001
-+++ linuxppc-benh-190202-nopickup/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	Tue Feb 19 23:50:57 2002
-@@ -72,6 +72,28 @@
+--- linux-2.4.19-pre8/include/linux/netfilter_ipv4/ip_conntrack_protocol.h.hej	Sun May 19 01:53:08 2002
++++ linux-2.4.19-pre8/include/linux/netfilter_ipv4/ip_conntrack_protocol.h	Sun May 19 02:39:31 2002
+@@ -62,4 +62,7 @@
+ extern struct ip_conntrack_protocol ip_conntrack_protocol_udp;
+ extern struct ip_conntrack_protocol ip_conntrack_protocol_icmp;
+ extern int ip_conntrack_protocol_tcp_init(void);
++
++extern int pickup;
++
+ #endif /*_IP_CONNTRACK_PROTOCOL_H*/
+--- linux-2.4.19-pre8/net/ipv4/netfilter/ip_conntrack_core.c.hej	Sun May 19 00:59:00 2002
++++ linux-2.4.19-pre8/net/ipv4/netfilter/ip_conntrack_core.c	Sun May 19 02:38:19 2002
+@@ -1258,6 +1258,8 @@
+ 
+ #define NET_IP_CONNTRACK_MAX 2089
+ #define NET_IP_CONNTRACK_MAX_NAME "ip_conntrack_max"
++#define NET_IP_CONNTRACK_PICKUP 2090
++#define NET_IP_CONNTRACK_PICKUP_NAME "ip_conntrack_pickup"
+ 
+ #ifdef CONFIG_SYSCTL
+ static struct ctl_table_header *ip_conntrack_sysctl_header;
+@@ -1265,6 +1267,8 @@
+ static ctl_table ip_conntrack_table[] = {
+ 	{ NET_IP_CONNTRACK_MAX, NET_IP_CONNTRACK_MAX_NAME, &ip_conntrack_max,
+ 	  sizeof(ip_conntrack_max), 0644,  NULL, proc_dointvec },
++	{ NET_IP_CONNTRACK_PICKUP, NET_IP_CONNTRACK_PICKUP_NAME, &pickup,
++	  sizeof(pickup), 0644,  NULL, proc_dointvec },
+  	{ 0 }
+ };
+ 
+@@ -1312,6 +1316,8 @@
+ 
+ static int hashsize = 0;
+ MODULE_PARM(hashsize, "i");
++
++MODULE_PARM(pickup, "i");
+ 
+ int __init ip_conntrack_init(void)
+ {
+--- linux-2.4.19-pre8/net/ipv4/netfilter/ip_conntrack_proto_tcp.c.hej	Sun May 19 01:07:40 2002
++++ linux-2.4.19-pre8/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	Sun May 19 02:39:07 2002
+@@ -23,6 +23,8 @@
+ /* Protects conntrack->proto.tcp */
+ static DECLARE_RWLOCK(tcp_lock);
+ 
++static int pickup = 1;
++
+ /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
+    closely.  They're more complex. --RR */
+ 
+@@ -75,24 +77,48 @@
  #define sLI TCP_CONNTRACK_LISTEN
  #define sIV TCP_CONNTRACK_MAX
  
-+#ifdef CONFIG_IP_NF_CONNTRACK_CONSERVATIVE
-+static enum tcp_conntrack tcp_conntracks[2][5][TCP_CONNTRACK_MAX] = {
-+	{
-+/*	ORIGINAL */
-+/* 	  sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI 	*/
-+/*syn*/	{sSS, sES, sSS, sSR, sSS, sSS, sSS, sSS, sSS, sLI },
-+/*fin*/	{sIV, sFW, sSS, sTW, sFW, sTW, sCL, sTW, sLA, sLI },
-+/*ack*/	{sIV, sES, sSS, sES, sFW, sTW, sCL, sCW, sLA, sES },
-+/*rst*/ {sIV, sCL, sSS, sCL, sCL, sTW, sCL, sCL, sCL, sCL },
-+/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
-+	},
-+	{
-+/*	REPLY */
-+/* 	  sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI 	*/
-+/*syn*/	{sIV, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSR },
-+/*fin*/	{sIV, sCW, sSS, sTW, sTW, sTW, sCL, sCW, sLA, sLI },
-+/*ack*/	{sIV, sES, sSS, sSR, sFW, sTW, sCL, sCW, sCL, sLI },
-+/*rst*/ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sLA, sLI },
-+/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
-+	}
-+};
-+#else
- static enum tcp_conntrack tcp_conntracks[2][5][TCP_CONNTRACK_MAX] = {
+-static enum tcp_conntrack tcp_conntracks[2][5][TCP_CONNTRACK_MAX] = {
++static enum tcp_conntrack tcp_conntracks[2][2][5][TCP_CONNTRACK_MAX] = {
+ 	{
+-/*	ORIGINAL */
+-/* 	  sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI 	*/
+-/*syn*/	{sSS, sES, sSS, sSR, sSS, sSS, sSS, sSS, sSS, sLI },
+-/*fin*/	{sTW, sFW, sSS, sTW, sFW, sTW, sCL, sTW, sLA, sLI },
+-/*ack*/	{sES, sES, sSS, sES, sFW, sTW, sCL, sCW, sLA, sES },
+-/*rst*/ {sCL, sCL, sSS, sCL, sCL, sTW, sCL, sCL, sCL, sCL },
+-/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
++		/* No pickup */
++		{
++	/*     ORIGINAL */
++	/*       sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI      */
++	/*syn*/        {sSS, sES, sSS, sSR, sSS, sSS, sSS, sSS, sSS, sLI },
++	/*fin*/        {sIV, sFW, sSS, sTW, sFW, sTW, sCL, sTW, sLA, sLI },
++	/*ack*/        {sIV, sES, sSS, sES, sFW, sTW, sCL, sCW, sLA, sES },
++	/*rst*/ {sIV, sCL, sSS, sCL, sCL, sTW, sCL, sCL, sCL, sCL },
++	/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
++		},
++		{
++	/*     REPLY */
++	/*       sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI      */
++	/*syn*/        {sIV, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSR },
++	/*fin*/        {sIV, sCW, sSS, sTW, sTW, sTW, sCL, sCW, sLA, sLI },
++	/*ack*/        {sIV, sES, sSS, sSR, sFW, sTW, sCL, sCW, sCL, sLI },
++	/*rst*/ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sLA, sLI },
++	/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
++		}
+ 	},
  	{
- /*	ORIGINAL */
-@@ -92,6 +114,7 @@
- /*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
+-/*	REPLY */
+-/* 	  sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI 	*/
+-/*syn*/	{sSR, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSR },
+-/*fin*/	{sCL, sCW, sSS, sTW, sTW, sTW, sCL, sCW, sLA, sLI },
+-/*ack*/	{sCL, sES, sSS, sSR, sFW, sTW, sCL, sCW, sCL, sLI },
+-/*rst*/ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sLA, sLI },
+-/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
++		/* Normal mode with pickup */
++		{
++	/*	ORIGINAL */
++	/* 	  sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI 	*/
++	/*syn*/	{sSS, sES, sSS, sSR, sSS, sSS, sSS, sSS, sSS, sLI },
++	/*fin*/	{sTW, sFW, sSS, sTW, sFW, sTW, sCL, sTW, sLA, sLI },
++	/*ack*/	{sES, sES, sSS, sES, sFW, sTW, sCL, sCW, sLA, sES },
++	/*rst*/ {sCL, sCL, sSS, sCL, sCL, sTW, sCL, sCL, sCL, sCL },
++	/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
++		},
++		{
++	/*	REPLY */
++	/* 	  sNO, sES, sSS, sSR, sFW, sTW, sCL, sCW, sLA, sLI 	*/
++	/*syn*/	{sSR, sES, sSR, sSR, sSR, sSR, sSR, sSR, sSR, sSR },
++	/*fin*/	{sCL, sCW, sSS, sTW, sTW, sTW, sCL, sCW, sLA, sLI },
++	/*ack*/	{sCL, sES, sSS, sSR, sFW, sTW, sCL, sCW, sCL, sLI },
++	/*rst*/ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sLA, sLI },
++	/*none*/{sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
++		}
  	}
  };
-+#endif
  
- static int tcp_pkt_to_tuple(const void *datah, size_t datalen,
- 			    struct ip_conntrack_tuple *tuple)
+@@ -165,6 +191,7 @@
+ 	oldtcpstate = conntrack->proto.tcp.state;
+ 	newconntrack
+ 		= tcp_conntracks
++		[!!pickup]
+ 		[CTINFO2DIR(ctinfo)]
+ 		[get_conntrack_index(tcph)][oldtcpstate];
+ 
+@@ -217,7 +244,7 @@
+ 
+ 	/* Don't need lock here: this conntrack not in circulation yet */
+ 	newconntrack
+-		= tcp_conntracks[0][get_conntrack_index(tcph)]
++		= tcp_conntracks[!!pickup][0][get_conntrack_index(tcph)]
+ 		[TCP_CONNTRACK_NONE];
+ 
+ 	/* Invalid: delete conntrack */
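Review bot: The variable is defined as `static int pickup = 1;` in ip_conntrack_proto_tcp.c (inner hunk @@ -23,6 +23,8 @@), yet the header adds `extern int pickup;` and ip_conntrack_core.c takes its address in the sysctl table and in `MODULE_PARM(pickup, "i")`; internal linkage hides the symbol from core.c, so linking ip_conntrack.o should fail with an undefined reference unless some part of the patch not shown here defines a non-static `pickup`. The fix is to drop the storage class in proto_tcp.c: `int pickup = 1;`. Because the sysctl is writable from userspace (mode 0644) and the module parameter accepts any integer, the `!!pickup` at the two table lookups (inner hunks @@ -165 and @@ -217) is what keeps the first index within the new `[2]` dimension; a one-line comment there would make that intent explicit, e.g. `/* pickup is settable at runtime; !! clamps it to a 0/1 table index */`. The functions containing those two lookups start and end outside this hunk.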
diff -urN netfilter/userspace/patch-o-matic/oldnat.orig/conntrack-tcp-nopickup.patch.config.in netfilter/userspace/patch-o-matic/oldnat/conntrack-tcp-nopickup.patch.config.in
--- netfilter/userspace/patch-o-matic/oldnat.orig/conntrack-tcp-nopickup.patch.config.in	Tue Feb 19 23:13:13 2002
+++ netfilter/userspace/patch-o-matic/oldnat/conntrack-tcp-nopickup.patch.config.in	Thu Jan  1 01:00:00 1970
@@ -1,2 +0,0 @@
-  dep_tristate '  FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
-  bool '  Conservative TCP tracking' CONFIG_IP_NF_CONNTRACK_CONSERVATIVE
diff -urN netfilter/userspace/patch-o-matic/oldnat.orig/conntrack-tcp-nopickup.patch.configure.help netfilter/userspace/patch-o-matic/oldnat/conntrack-tcp-nopickup.patch.configure.help
--- netfilter/userspace/patch-o-matic/oldnat.orig/conntrack-tcp-nopickup.patch.configure.help	Tue Feb 19 23:13:13 2002
+++ netfilter/userspace/patch-o-matic/oldnat/conntrack-tcp-nopickup.patch.configure.help	Thu Jan  1 01:00:00 1970
@@ -1,13 +0,0 @@
-CONFIG_IP_NF_FTP
-Conservative TCP state tracking
-CONFIG_IP_NF_CONNTRACK_CONSERVATIVE
-  This is an EXPERIMENTAL patch making TCP connection tracking behave 
-  more conservative.  If this option is enabled, it will only track 
-  connections which are started after ip_conntrack.o was loaded (or
-  your firewall booted).  It does no attempt on picking up old, 
-  previously established TCP connections.
-
-  This might help in some rare cases where you have problems with ACK
-  flooding filling up your connection tracking tables...
-
-  If unsure, say `N'.
diff -urN netfilter/userspace/patch-o-matic/oldnat.orig/conntrack-tcp-nopickup.patch.help netfilter/userspace/patch-o-matic/oldnat/conntrack-tcp-nopickup.patch.help
--- netfilter/userspace/patch-o-matic/oldnat.orig/conntrack-tcp-nopickup.patch.help	Tue Feb 19 23:13:13 2002
+++ netfilter/userspace/patch-o-matic/oldnat/conntrack-tcp-nopickup.patch.help	Sun May 19 03:01:43 2002
@@ -1,17 +1,35 @@
 Author: Harald Welte <[EMAIL PROTECTED]>
+Modified by: Martin Josefsson <[EMAIL PROTECTED]>
 Status: Highly Experimental
 
 This patch affects the TCP state tracking machine.
 
-It alters it in a way, that it will only track TCP connections which are
-established _after_ loading ip_conntrack.o on the firewall.
-
-This means, after reloading ip_conntrack.o or a firewall reboot, all TCP 
-connections are gone.  No connection pickup is working anymore.
+It introduces a new sysctl called ip_conntrack_pickup which defaults to true.
+The initial state is configurable by using a new moduleparameter for
+ip_conntrack called pickup.
+
+If ip_conntrack_pickup is true it will accept packets in connections that were
+established before ip_conntrack.o was loaded. If it's false then it will mark
+those packets as INVALID.
 
 So what's the advantage of this patch?  It can help in certain setups,
 where you get ACK-flooded and the machine which is ACK-scanned is not
 up or in some other way unable to send RST's.
 
+One other possible use is to allow pickup after a reboot so active connections
+can be picked up and continue to work. And then disable pickup after a while.
+
 Please give me feedback if you use this patch.
 
+**************
+*** NOTICE ***
+**************
+
+This new version of this patch doesn't have the configuration option which
+selected which mode conntrack should operate in. Now you have to set it with
+the moduleparameter when loading ip_conntrack.o or during operation via the
+sysctl.
+
+**************
+*** NOTICE ***
+**************
